How to configure and use NoScript


On the surface, NoScript appears to be a simple program—and it really is, actually—but some users have been daunted by the multiple selections that sometime show up on certain web sites. So, I want to explain what’s going on and give some guidance to those who feel a bit overwhelmed. First of all, some basic instruction into the two approaches to security is in order. You’re probably familiar with both approaches: blacklist and white list. We all want to be on the white list and don’t want to be on the blacklist.

The blacklist approach—the prevailing security method used by most security software today—is actually terribly unreliable, since it depends upon some authority or authorities to say that something is bad based on past behavior; this is the “trust everyone until they prove untrustworthy” approach. It’s a bad idea—probably the worst idea in computer security. The problem with this method is that you don’t know something is bad until the damage is already done and, as we know, the damage can be devastating. This boneheaded approach has resulted in some of the biggest security nightmares ever to hit the Internet. For example, Code Red and Nimbda worms spread with impunity a few years ago simply because Microsoft’s Internet Connection Firewall was turned off by default. As soon as XP SP2 came out with the firewall enabled by default the problem disappeared.

NoScript uses the white list approach to security; in other words, “if you ain’t on the the list, you ain’t getting in.” So, if you’re a script on a web page, you’re blocked until I put you on the white list and allow you to run. The white list approach is the safest since everything is blocked until you say it’s trusted; this is the “trust no one” (TNO) approach. The problem with this method is that it breaks everything on a web page that relies on scripting; however, you’ll never be hijacked or click-jacked by simply surfing to a web page. If you want to be as secure as you can be on the web, this is the only way to go.

Before I give you a few tips of my own on how to use NoScript, take a look at this short video that explains some its key features.

Now, let’s take a look at what those variations of the NoScript status bar icon represent. Here’s a screen shot from the site:

The more you use it, the more familiar you’ll get familiar with what all this means. You can change the settings at any time by left-clicking on the icon. One thing you are sure to notice is that some sites have several frames that are attempting to run scripts. For example, browse over to CNET.com with NoScript running and you’ll see a list of more than six different domains hosting scripts. For each of these sites, you have the following options: Allow, Temporarily allow, or, if you’ve previously allowed it, Forbid. You can allow scripts globally (don’t do that!), allow everything on the page, or temporarily allow everything on the page. Take a look at this shot and pay careful attention to the menu options and note the red and blue “trapped worm” symbol where a blocked ad would normally show:


I normally start by allowing the top level site and work my way up the list until the functionality I care about starts working. I usually don’t care about ads, so in most cases, I let them stay blocked. In this case, I trust CNET, so I’d be inclined to do an “Allow all this page” and read on. The beauty of NoScript is that you don’t have to worry about it: you’re in control.

The NoScript site has a very good FAQ that will answer most of your questions.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.